Christopher Wolf, who co-chairs the Future of Privacy Forum, wrote an article on the state of the art in data protection and privacy law at the beginning of 2013, pointing out the main developments in the field of last year and sketching what could happen in the year that just began.

The article focuses on the European developments in the data protection legal regime, as “what happens in the EU has an impact on multinational organizations operating across borders, and on the evolution of privacy frameworks around the world.”

Wolf writes about the main critiques the Regulation in its entirety faces, emerging especially from UK and also from France, but also discusses topical issues, such as “the right to be forgotten”.

In November 2012, Europe’s Network and Information Security Agency (ENISA), released a report on the technical aspects of the “right to be forgotten”. ENISA pointed out that any technical solution for the “right to be forgotten” would require an unambiguous definition of the personal data that is covered by the “right to be forgotten”, a clear notion of who can enforce the right, and a mechanism for balancing the “right to be forgotten” against other rights such as freedom of expression. According to the Report, the text of the current European proposal leaves each of these subjects open to debate, making it difficult to implement technical mechanisms to deal with the “right to be forgotten”.

According to the draft calendar published by the rapporteur of the European Parliament (EP) for the new data protection regulation, the legislative proposal will be voted in the plenary of the EP in 2014.

MEP Jan Philipp Albrecht wrote that the final schedule will be agreed with the other committees involved and will be adapted as the legislation proceeds.

Indicative calendar of public events or action points

29 May 2012, 15:00-18:30: LIBE Committee Workshop (industry, civil society and academia).
The workshop is open to all interested stakeholders. Logistics such as registration are handled by the LIBE secretariat. More information is available at the committee website. Please do not contact Jan Philipp Albrecht’s office on this.

The EDPS “welcomes the proposed Regulation as it constitutes a huge step forward for data protection in Europe” and “is particularly pleased to see that the instrument of a regulation is proposed for the general rules on data protection”.

However The EDPS is “seriously disappointed with the proposed Directive for data protection in the law enforcement area. The EDPS regrets that the Commission has chosen to regulate this matter in a self-standing legal instrument which provides for an inadequate level of protection, which is greatly inferior to the proposed Regulation”. That is an interesting point of view.

The greatest weakness is considered to be the perpetuation of “the lack of comprehensiveness of the EU data protection rules”. The EDPS considers the reform package “leaves many EU data protection instruments unaffected such as the data protection rules for the EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters such as the Prüm Decision and the rules on Europol and Eurojust.

Furthermore, the proposed instruments taken together do not fully address factual situations which fall under both policy areas, such as the use of PNR or telecommunication data for law enforcement purposes”.

The main idea is that personal data have become so valuable for marketing companies – to say the least, that its potential value is already exploited by a few start-ups. “A number of start-ups allow people to take control — and perhaps profit from — the digital trails that they leave on the Internet”, writes NYT.

I think that handled carefully, with prudence, this idea could be the new big thing in online marketing.

Also have in mind that such innovations would impact cloud computing and data portability. The EU data protection reform presupposes the existence of a right to data portability in favor of the data subject (See Article 18 of the proposed Regulation).

First of all, this would mean that a right to data portability will propagate soon in other jurisdictions. Second of all, it means that the data subject gains more control on the set of data directly connected to he or she, being able to keep all of it in one place, as long as he or she knows he or she will be able to move the set of data whenever he or she finds a better service provider, or a better suited one for his or her needs. All of these indicates that value could be added to the set of one’s available personal data. So this is a trend to be observed in the future.

First of all, before analyzing the content of the reform, it’s important to underline that EC chose to draft a Regulation and not a Directive. Regulations have binding force for all the Member States and they don’t need implementation laws in the domestic systems! This means that once the Data Protection Regulation enters into force, it will enter into force in all the Member States and all the Member States will have identical data protection rules! Directives, on the other hand, were binding only regarding the purpose they provide, Member States being able to chose the way they wished to implement their provisions. This will not be the case for the new European data protection system.

Regarding the content of the reform, I am absolutely convinced that a lot of comments will be made in the forthcoming months. I did not have time to study it in detail, but I have seen that the much expected “right to be forgotten” is a part of the legislative proposal.

More precisely, Article 17 of the regulation provides the data subject’s right to be forgotten and to erasure. “It further elaborates and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the obligation of the controller which has made the personal data public to inform third parties on the data subject’s request to erase any links to, or copy or replication of that personal data. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology “blocking””, as shown in the document released today.

“Article 18 introduces the data subject’s right to data portability, i.e. to transfer data from one electronic processing system to and into another, without being prevented from doing so by the controller. As a precondition and in order to further improve access of individuals to their personal data, it provides the right to obtain from the controller those data in a structured and commonly used electronic format.”

I have also seen that most of the existing data subject’s rights were modified with the purpose of strengthening them.

I will return to the topic in the next days. Until then, here are some very useful links:

2012 is an important year for data protection, as EU, the global leader in data protection policies, is going to reform the system centered around Directive 95/46. The measures are expected to be launched for debate early this year, so they could enter into force in 2014.

In a recent article published on http://www.neurope.eu, Peter Hustinx, the European Data Protection Supervisor, provides some insights about the shape of the data protection reform, such as:

It should be clear that this is not the time to reinvent data protection. It has been invented and is now recognised as a fundamental right in the Lisbon Treaty. Instead, much attention should be given to making data protection more effective in practice.

Another point in this context is the need for greater harmonisation of rules across the EU. The present diversity of national rules is not helpful for effective data protection, and even counterproductive.

More effective data protection also requires that data subjects should be enabled to exercise their present rights more easily and should be given a few additional rights to protect their interests where needed. An interesting example is the right to require that personal data are deleted or transferred to another provider – the “right to be forgotten” or the “right to data portability” – which might be particularly useful in the context of social networks or other online services.

Strengthening the rights of data subjects would also require a clarification of the situations where consent is required and the conditions that have to be met for valid consent. A lack of clarity about this often leads to a weaker position of data subjects, particularly in the online environment.

Data controllers are now responsible for compliance with data protection rules, but in practice this often only leads to formal arrangements and responsibility “at the end” if something goes wrong. Instead, they should be mandated to be more active and to take all those measures which are necessary to ensure that data protection rules are complied with.

At this stage, it is also important to clearly define the external scope of EU data protection law. The concept that EU law should not only apply when the responsible data controller is established in Europe, but also when EU consumers are “targeted” – regardless from where over the Internet – seems to attract more and more support.

Wordpress.com uses cookies on this blog. I've limited them as much as customization allows me & I have no access to or control over the personal data they collect. Consent will be recorded after you click the button, and not just by mere scrolling. The widget doesn't provide an "I refuse" button & I'm writing to Wordpress to fix this. In the meantime, see their
Cookie Policy